January 4, 2010

INFORMATION SECURITY
Evaluation of GAO's Information Security Program and Practices for Fiscal Year 2009

Objectives: Although not obligated by law to comply, GAO has adopted the requirements of the Federal Information Security Management Act of 2002 (FISMA) to strengthen its information security program and demonstrate its ongoing commitment to lead by example. GAO's Office of Inspector General (OIG) conducted an evaluation to assess (1) the effectiveness of the agency's information security policies, procedures, and practices, and (2) agency compliance with the information security requirements of FISMA and other federal information security policies, procedures, standards, and guidelines. (A full report on our evaluation was prepared for GAO internal use only.)

Findings: Overall, the OIG's evaluation showed that GAO has established an information security program consistent with the requirements of FISMA, Office of Management and Budget (OMB) implementing guidance, and guidance and standards issued by the National Institute of Standards and Technology (NIST). However, it also found that GAO's information security policies and procedures were not always applied and some could be improved to help ensure that they are consistent with the OMB and NIST guidance. In particular, the OIG found the following:

•   During fiscal year 2009, GAO greatly increased its systems inventory from 12 to 35 systems but did not complete all required security processes and procedures (such as preparing system security plans) for many of the newly added systems.

•   GAO's incident response and handling procedures investigate security events, such as a denial of service attack, but deciding whether to classify such events as incidents (and, thus, to consider reporting them to other external organizations) needs additional management involvement.

•   GAO has continued to make progress in establishing its privacy program and protecting personally identifiable information, but implementing additional requirements, such as providing annual privacy awareness training, would help further strengthen this program.

Recommendations: This report includes recommendations for GAO to (1) complete and document required information security processes and procedures for all systems in the systems inventory, (2) modify the agency's incident handling and response procedures to increase Chief Information Officer involvement in the incident classification process to help ensure that security events are appropriately classified and reported, and (3) continue efforts to implement additional requirements for the agency's privacy program. In commenting on a draft of the report, GAO concurred with these recommendations and described actions it is undertaking to address them.

GAO/OIG-10-3